Product Endorsement Rules Of Engagement

When I started writing for Tripwire and some of the other information security websites that graciously publish my work, I had a few humble goals in mind:

• To raise awareness about security-related topics for the general public;
• To spark some thought and conversation about information security;
• To educate folks who are considering a career and just starting out in the information security field;
• To be more like my info-sec rock star friend, Javvad Malik.

I never expected that anyone would want me to endorse any products, but lately, I have received unsolicited requests to review and endorse some security products.

Generally I kindly decline these offers.  I am flattered by the solicitations, however, product endorsements do not satisfy my desire to help others in the InfoSec community.

However, since I am well-aware that I am not the only person who these companies approach for endorsements, I would like to take some time to offer some rules of engagement to help these companies increase their chances of convincing others to endorse their products.

Rule #1 for getting someone to review and endorse your security product:

If you want someone to go to your web site to review your product give them the name of the product and a way for them to find the correct link to the official site.

If you are selling a security product, chances are very great that the person you are contacting will not click on a link you provide.  Any decent security-minded person will seek out the official site from other sources and will check your product from there, not from an unsolicited link.

 Rule #2 for getting someone to review and endorse your security product:

Make sure that your web site does not generate a redirection notice.

Nothing raises a red flag faster than when your site indicates that it is performing a redirection.

Security professionals spend more than enough time warning our patrons to never follow redirections from one site to another.  Why would the manufacturer of a security product ever expect any security professional to ignore such a simple security practice?

Rule #3 for getting someone to review and endorse your security product:

Make sure that your site certificate is in order.

If your home page displays    in the navigation bar, indicating a certificate problem, that is going to cause most security folks to close that browser window and move on with their day.  Not all sites have implemented TLS on their home page.  This is not as bad as a certificate warning mentioned above.  If you are using a TLS Certificate, please obtain one from a trusted Certificate Authority.  Remember that a security analyst, researcher, or hacker will probably check this type of information before proceeding.

Rule #4 for getting someone to review and endorse your security product:

Beware of the Appeal to Authority fallacy.

This is a problem that is as old as Socrates.  If you want someone to endorse your product, check to make sure that they are qualified to do so.  Just because 9 out of 10 dentists like your encryption product doesn’t make it a good product.  No one has fallen for that fallacy since 1972.  If you want an endorsement for an encryption technology, ask a qualified authority on the subject.

I applaud all of the people who have taken the bold entrepreneurial leap to create some of the great security products that keep us safe.  Without your innovation, we would be in a very sad state.  While many would argue that we are no safer than we were 10 years ago, I am more optimistic.  However, if you want to add some real punch to your product, please follow the simple steps outlined above before approaching any security professional for a review and subsequent endorsement.

[su_box title=”About Bob Covello” style=”noise” box_color=”#336588″][short_info id=’83956′ desc=”true” all=”false”][/su_box]